Why Android?

Smartphones now make up 40% of all mobile phones in the US.

[Charts: Smartphone Penetration and Smartphone OS Share, May '11 - Jul '11, Mobile Insights, US. Slices legible on the OS share chart: Windows Mobile 7%, Other 5%, Windows Phone 7 1%.]

Nielsen, Sept 2011
Why Android?

Android is a big player in the mobile smartphone arena.

Every major carrier has multiple Android based devices.

Android smartphones typically get some of the "latest and greatest" technologies, such as the newer 4G networks, NFC, and screens that are easier to see in daylight.




SecureWorks 



How it is: Basics

• Modern phones are as powerful as laptops
• Android around since ~2008 (1.0 shipped September 2008)
• Different model than Apple, BlackBerry, etc.
• Open market model (Apple "vets" apps before they are listed; the Android Market does not)
• Open source project (mostly; vendor drivers and much of the Google app layer are closed)
• Applications have special "app level permissions"
• None of this lets you really administer your device: no root shell, and no control over apps beyond install and uninstall



How it is: Boot Process

[Diagram: boot chain from the Boot ROM through bootloader, kernel and init to Zygote, the process every app is forked from]

• Much like a typical Linux boot process
• Apps run in a Dalvik VM (Java-like bytecode), but the separation between apps is provided by Linux: each app gets its own UID and its own private data directory
• The boot process is unauthenticated on typical devices of this era (nothing verifies the boot or recovery image before it runs), so it can be hijacked by anyone who can write those partitions


How it is: Partition Layout

Device           Name       FS        Mount     Contents
/dev/mtd/mtd0    pds        yaffs2    /config   Config data
/dev/mtd/mtd1    misc       -         -         Memory partitioning data
/dev/mtd/mtd2    boot       bootimg   -         Typical boot image (kernel + ramdisk)
/dev/mtd/mtd3    recovery   bootimg   -         Recovery mode boot image
/dev/mtd/mtd4    system     yaffs2    /system   System files, system apps, etc
/dev/mtd/mtd5    cache      yaffs2    /cache    Cache files
/dev/mtd/mtd6    userdata   yaffs2    /data     User data (apps, settings, etc)
/dev/mtd/mtd7    kpanic     -         -         Crash log

(Layout of a typical 2011 NAND/MTD device; partition numbering varies by model.)

Towards a General Collection Methodology for Android Devices, DFRWS 2011
How it is: App permissions

[Screenshot: install-time permission prompt for a free battery utility app. "This application has access to the following:"
  Your location: fine (GPS) location
  Network communication: create Bluetooth connections, full Internet access
  Hardware controls: take pictures
  Phone calls: modify phone state
  System tools: bluetooth administration, change Wi-Fi state, modify global system settings, prevent phone from sleeping, restart other applications, retrieve running applications, write Access Point Name settings, write sync settings]

Access to system resources is granted through application level permissions.

People tend to disregard them.

Excerpt of the android.permission namespace (B through G):

BRICK
BROADCAST_PACKAGE_REMOVED
BROADCAST_SMS
BROADCAST_STICKY
BROADCAST_WAP_PUSH
CALL_PHONE
CALL_PRIVILEGED
CAMERA
CHANGE_COMPONENT_ENABLED_STATE
CHANGE_CONFIGURATION
CHANGE_NETWORK_STATE
CHANGE_WIFI_MULTICAST_STATE
CHANGE_WIFI_STATE
CLEAR_APP_CACHE
CLEAR_APP_USER_DATA
CONTROL_LOCATION_UPDATES
DELETE_CACHE_FILES
DELETE_PACKAGES
DEVICE_POWER
DIAGNOSTIC
DISABLE_KEYGUARD
DUMP
EXPAND_STATUS_BAR
FACTORY_TEST
FLASHLIGHT
FORCE_BACK
GET_ACCOUNTS
GET_PACKAGE_SIZE
How it is: App permissions

• Bad combos
  • SMS when not needed (SEND_SMS or RECEIVE_SMS in a game or wallpaper app)
  • READ_LOGS supersedes many permissions (the system log holds data other apps would otherwise need their own permissions to reach)
  • INTERNET and READ_CONTACTS
  • INTERNET and INSTALL_PACKAGES
  • INTERNET and ALMOST_EVERYTHING
• Unfortunately many free apps require network access so ads can be retrieved, so INTERNET on its own tells you little



Bad apps

• Spoofed
  • Netflix
• Repackaged / grafted
  • MonkeyJump
• Spyware
  • Stealth*
• Greyware
  • Almost everything else
• Rooting
  • Is ok, but some apps do it when you don't know
  • RootSmart



Repackaging

[Diagram: 1) Extract mobile application  2) Add malware & repackage application]
Unlike typical malware...

• Most malware is delivered from a portal known as a market place
• By default phones don't allow installs from sources other than the official market
• Apps can be set to start automatically after boot, upon SMS arrival, upon installation of another app, really a lot of different events (intents)
• Your phone might come with bad stuff on it
  • As HTC nicely demonstrated in 2011 with a logging service listening on an unauthenticated local port, readable by any app holding INTERNET



What are the percents really?

• Official market
  • REALLY low
  • Like a small fraction of a percent
• Alternative markets
  • All over the place: anywhere from as good as the official market to 100% malware
Quick Malware Tour: Zitmo

[Screenshot of the lure page, styled as a Trusteer "Building trust online" notice:]

  Dear Customer!
  Trusteer is glad to announce the new mobile app which protects your phone while working with online banking, receiving and sending SMS and making calls.
  Over 22 millions customers, banks and financial institutions use our program software to make payments, transfers and other operations securely. If you're working with our software, your security is protected by professionals.
  Please choose your phone's operating system:
    ( ) iOS (iPhone)
    ( ) BlackBerry
    (x) Android          "Please download tr.apk"
    ( ) Symbian (Nokia)
    ( ) Other

Zitmo (ZeuS-in-the-mobile): the desktop ZeuS trojan injects this page into the victim's banking session, and the "Trusteer" tr.apk it hands out forwards the bank's SMS transaction codes (mTANs) to the attacker.



Quick Malware Tour: Spoof

Netflix only supports certain devices.

But "Netflix" is available for every device!!

[Screenshot of the fake Netflix app. Image: Symantec]
Quick Malware Tour: Repackaged

[Screenshot: Market listing for the original MonkeyJump game, which declares only:
  android.permission.INTERNET
  android.permission.ACCESS_COARSE_LOCATION
  android.permission.READ_PHONE_STATE
  android.permission.VIBRATE]

Quick Malware Tour: Repackaged

• Geinimi
  • MonkeyJump, repackaged; the trojanized build declares:

android.permission.INTERNET
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_PHONE_STATE
android.permission.VIBRATE
com.android.launcher.permission.INSTALL_SHORTCUT
android.permission.ACCESS_FINE_LOCATION
android.permission.CALL_PHONE
android.permission.MOUNT_UNMOUNT_FILESYSTEMS
android.permission.READ_CONTACTS
android.permission.READ_SMS
android.permission.SEND_SMS
android.permission.SET_WALLPAPER
android.permission.WRITE_CONTACTS
android.permission.WRITE_EXTERNAL_STORAGE
com.android.browser.permission.READ_HISTORY_BOOKMARKS
com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
android.permission.ACCESS_GPS
android.permission.ACCESS_LOCATION
android.permission.RESTART_PACKAGES
android.permission.RECEIVE_SMS
android.permission.WRITE_SMS

<intent-filter android:priority="65535">
    <action android:name="android.provider.Telephony.SMS_RECEIVED"></action>
</intent-filter>

SMS_RECEIVED is an ordered broadcast: a receiver at priority 65535 sees every incoming message before the stock messaging app does and can call abortBroadcast() so the user never sees it.
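The "bad combos" list and the Geinimi manifest above amount to a triage checklist, so here it is as a script. This is an added example written for this write-up, not code from the talk or from any of the tools it lists. It assumes the manifest has already been decoded from binary XML to plain text (apktool or AXMLPrinter2 output), and the SAMPLE_MANIFEST embedded in it is constructed to resemble the Geinimi listing; it is not the real file.

```python
"""Triage a decoded AndroidManifest.xml for the permission patterns called out
in the talk: risky INTERNET pairings, SMS/READ_LOGS without obvious need, and
SMS_RECEIVED receivers registered at high priority.

Added example, not code from the talk or any tool it lists.  Assumes the
manifest is already plain-text XML (apktool / AXMLPrinter2 output).  The
SAMPLE_MANIFEST below is constructed to resemble the Geinimi listing; it is
not the real file.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PRIORITY = "{%s}priority" % ANDROID_NS
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# INTERNET plus a data source or an install path: the "bad combos" from the slide.
RISKY_PAIRS = [
    ("INTERNET", "READ_CONTACTS"),
    ("INTERNET", "READ_SMS"),
    ("INTERNET", "ACCESS_FINE_LOCATION"),
    ("INTERNET", "INSTALL_PACKAGES"),
]
# Worth questioning on their own in a game or utility.
QUESTIONABLE = {"SEND_SMS", "RECEIVE_SMS", "WRITE_SMS", "READ_LOGS", "CALL_PHONE"}


def short_name(perm):
    """android.permission.READ_SMS -> READ_SMS; vendor-prefixed names are kept whole."""
    prefix = "android.permission."
    return perm[len(prefix):] if perm.startswith(prefix) else perm


def declared_permissions(root):
    return {short_name(e.get(A_NAME)) for e in root.iter("uses-permission") if e.get(A_NAME)}


def sms_receivers(root):
    """(receiver name, filter priority) for every receiver that listens for SMS_RECEIVED."""
    found = []
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            if any(a.get(A_NAME) == SMS_RECEIVED for a in flt.findall("action")):
                found.append((rcv.get(A_NAME), int(flt.get(A_PRIORITY, "0"))))
    return found


def triage(manifest_xml):
    """Return (permission set, list of findings) for one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    findings = []
    for a, b in RISKY_PAIRS:
        if a in perms and b in perms:
            findings.append("bad combo: %s + %s" % (a, b))
    for p in sorted(QUESTIONABLE & perms):
        findings.append("question the need for: %s" % p)
    for name, prio in sms_receivers(root):
        if prio > 0:
            # A high-priority ordered-broadcast receiver sees the SMS before the
            # stock messaging app and can abortBroadcast() to hide it.
            findings.append("SMS_RECEIVED receiver %s at priority %d" % (name, prio))
    return perms, findings


SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.monkeyjump">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="65535">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    perms, findings = triage(SAMPLE_MANIFEST)
    print("permissions:", ", ".join(sorted(perms)))
    for f in findings:
        print("!", f)
```

The pair list is deliberately short; the point is the shape of the check (data source plus exfiltration path, privilege without a visible need, a receiver that outranks the messaging app), not a complete rule set.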



Quick Malware Tour: Repackaged

• DroidDream
  • Repackaged apps pulled from the official Market in March 2011 (titles censored on the slide; non-Latin titles were illegible):

  Falling Down
  Super Guitar Solo
  Super History Eraser
  Photo Editor
  Super Ringtone Maker
  Super *** Positions
  Hot ***y Videos
  Chess
  [Chinese title]_Falldown
  Hilton *** Sound
  Screaming ***y Japanese Girls
  Falling Ball Dodge
  Scientific Calculator
  Dice Roller
  [Chinese title]
  Advanced Currency Converter
  App Uninstaller
  [Chinese title]_PewPew
  Funny Paint
  Spider Man

Headline: "Fake Android Market Security Tool delivers more than just a cure for DroidDream malware"

[Screenshot: permission prompt for the fake security tool:
  Your location: coarse (network-based) location, fine (GPS) location
  Network communication
  Storage: modify/delete SD card contents
  Phone calls
  Services that cost you money]
Quick Malware Tour: Rooting

• RootSmart
  • Repackaged
  • Does not bundle a root exploit (which might be caught by antivirus)
  • Instead dynamically downloads GingerBreak after install
  • Additional permissions over the host app (marked + below)
  • Reacts to several phone actions (boot completed and other system broadcasts)

Permissions declared by the repackaged version; (+) marks those not in the original app:

ACCESS_CACHE_FILESYSTEM (+)
ACCESS_FINE_LOCATION
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
BLUETOOTH
BLUETOOTH_ADMIN
CAMERA
CHANGE_CONFIGURATION (+)
CHANGE_WIFI_STATE
DELETE_CACHE_FILES (+)
DEVICE_POWER (+)
FLASHLIGHT
GET_ACCOUNTS
GET_TASKS (+)
HARDWARE_TEST
INTERNET (+)
MODIFY_PHONE_STATE
MOUNT_UNMOUNT_FILESYSTEMS (+)
READ_LOGS (+)
READ_OWNER_DATA (+)
READ_PHONE_STATE (+)
READ_SECURE_SETTINGS
READ_SYNC_SETTINGS
RECEIVE_BOOT_COMPLETED
RESTART_PACKAGES (+)
SYSTEM_ALERT_WINDOW (+)
VIBRATE
WAKE_LOCK
WRITE_APN_SETTINGS
WRITE_EXTERNAL_STORAGE (+)
WRITE_OWNER_DATA (+)
WRITE_SECURE_SETTINGS
WRITE_SETTINGS
WRITE_SYNC_SETTINGS



Analysis: get an app

• Download to a device, then extract via adb (adb shell pm list packages -f shows each package's APK path; adb pull copies it out)
  • Might not want to be a device you like
• Download directly from the official market
  • android_market_api maybe
• Download from an alternative market
  • Can use a normal web browser
• Get it from a malware repository, user group, etc.




Analysis: What is an app?

• It's a zip file
  • With an .apk extension (called an APK)
  • Sites may not actually deliver it with that extension, so check the zip magic rather than trusting the name
• AndroidManifest.xml
  • This is where permissions are defined (stored as binary XML inside the APK; AXMLPrinter2 or apktool decode it)
• Resources
  • images, audio, etc.
• classes.dex (ALL the Java classes, compiled to Dalvik bytecode in dex format)
• META-INF/ (the signing certificate and file digests; every APK must be signed, but self-signed certificates are accepted)
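The following Python script is an added example written for this write-up, not code from the talk or from any tool it lists. It applies the list above to a file: it checks the zip magic instead of the extension, looks for AndroidManifest.xml, resources, classes.dex and the META-INF signature files, and validates the dex header (magic, Adler-32 checksum, SHA-1 signature, declared size). The sample APK is constructed in memory with a header-only classes.dex so the block runs offline; a real file goes through the same inspect_apk() call.

```python
"""Inspect an APK without trusting its extension: confirm it is a zip, find the
parts named above (AndroidManifest.xml, resources, classes.dex, the META-INF
signature files) and validate the classes.dex header checksum and signature.

Added example, not code from the talk or any tool it lists.  The sample APK is
built in memory with a header-only classes.dex so the block runs offline;
inspect_apk() takes a path or raw bytes, so real files go through the same path.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"      # "dex\n" + format version "035" + NUL
DEX_HEADER_SIZE = 0x70          # 112-byte header
ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(data):
    """Parse the dex header and verify its Adler-32 checksum and SHA-1 signature."""
    if len(data) < DEX_HEADER_SIZE or data[:8] != DEX_MAGIC:
        return {"magic_ok": False}
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    (string_ids_size,) = struct.unpack_from("<I", data, 56)
    (method_ids_size,) = struct.unpack_from("<I", data, 88)
    (class_defs_size,) = struct.unpack_from("<I", data, 96)
    return {
        "magic_ok": True,
        # checksum covers everything after itself; signature everything after itself
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
        "size_ok": file_size == len(data) and header_size == DEX_HEADER_SIZE
                   and endian_tag == ENDIAN_CONSTANT,
        "strings": string_ids_size,
        "methods": method_ids_size,
        "classes": class_defs_size,
    }


def inspect_apk(src):
    """src: path or bytes.  Checks the zip magic rather than the file name."""
    if isinstance(src, (bytes, bytearray)):
        blob = bytes(src)
    else:
        with open(src, "rb") as fh:
            blob = fh.read()
    if not blob.startswith(b"PK\x03\x04"):
        return {"is_zip": False}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        report = {
            "is_zip": True,
            "has_manifest": "AndroidManifest.xml" in names,
            "has_dex": "classes.dex" in names,
            "signed": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA"))
                          for n in names),
            "resources": [n for n in names if n.startswith(("res/", "assets/"))],
        }
        if report["has_dex"]:
            report["dex"] = parse_dex_header(zf.read("classes.dex"))
    return report


def build_minimal_dex():
    """Constructed sample: a header-only dex with a valid checksum and signature."""
    rest = struct.pack("<III", DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    rest += b"\0" * (DEX_HEADER_SIZE - 32 - len(rest))   # all table sizes/offsets zero
    signature = hashlib.sha1(rest).digest()
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + rest


def build_sample_apk():
    """Constructed sample APK: manifest stub, one resource, minimal dex, signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML chunk header stub
        zf.writestr("res/drawable/icon.png", b"\x89PNG")
        zf.writestr("classes.dex", build_minimal_dex())
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_apk(build_sample_apk()))
```

A checksum or signature mismatch on a sample is itself a finding: a dex edited after the fact (grafted code, stripped strings) and not re-hashed will fail to load on a device, so a mismatch usually means you are looking at a broken repack or a deliberately mangled sample rather than what shipped.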



Analysis: What are the tools?

• dex2jar
• Dava
• ded
• soot
• Apktool
• baksmali
• adb
• IDA Pro
• androguard
• undx
• AXMLPrinter2
• dedexer
• JAD
• dexid
• JD-GUI
• droidbox
Analysis: Where do they fit?

Build chain (forward) and the tools that reverse each step:

  .java  --javac-->  .class  --dx-->  classes.dex  --apkbuilder-->  .apk

  .class      <-- JAD, JD-GUI, Dava/soot          (decompile class files to Java source)
  .class      <-- dex2jar, undx, ded              (convert dex back to class files)
  classes.dex <-- unzip, Apktool                  (pull dex and resources out of the APK)
  classes.dex --> Dexdump, Dedexer, IDA Pro, baksmali   (disassemble Dalvik bytecode directly)

Adapted from http://developer.android.com/guide/developing/building/index.html


Analysis: Demos

• Sample program
• Real malware



Attack Chart

[Chart: attack paths grouped by whether physical access is needed and by the privilege level involved: no physical access (remote exploitation), no privileged access needed, unprivileged access, privileged access needed.]

All Your Droid are Belong to Us, WOOT 2011



Big Problems: network boundary

• Mobile devices as hop points
  • Such as into the corp network
• Where does IDS for the phone go?



Big Problems: Who is the device admin?

Not you.



Big Problems: rooting

• Devices aren't really set up for root users
• Malware that roots for you
• Malware that targets rooted phones
  • Or custom ROMs
• Some consider rooting to undermine the security of the system
  • What little there is anyway



Big Problems: antivirus

• Not easy
• No "privileged API" available for security applications: an AV app is just another sandboxed app with its own UID, so it can scan APK files on disk but cannot look inside other apps' processes or private data
• Devices are often resource-constrained
• Data plans are no longer unlimited

Similar arguments can be made for other security technologies



Big Problems: updates

[Diagram adapted from http://source.android.com/source/code-lines.html: upstream projects (WebKit, SDK, kernel, ...) feed Google's private and experimental branches (Eclair Experimental, FroYo Experimental); public release branches (Eclair Release 2.0) are cut from them. Legend: Google contribution, community contribution, branch created, release cut; public devel branch, public release (i.e. stable API) branch, Google private branch.]

A release then travels Google -> Manufacturer -> Carrier -> User.

1 year!? For many users the next update arrives with the next phone.
Big Problems: updates

Not Android specific:

  Vulnerability      Vulnerability     Component patch     User applies
  discovered    -->  disclosed    -->  available      -->  patch
                     |<-------------- exploit window -------------->|

Android specific:

  Vulnerability      Vulnerability     Component patch     Google releases     Manufacturer         Carrier releases     User applies
  discovered    -->  disclosed    -->  available      -->  patch          -->  releases patch  -->  patch           -->  patch
                     |<---------------------------------------- exploit window ---------------------------------------->|

Three more parties sit between the upstream fix and the device, and each adds its own delay.

All Your Droid are Belong to Us, WOOT 2011



Big Problems: updates

Major releases every few hundred days; minor releases every 1-2 months. What is your phone running?

Version   Codename      Release date   Delta (days)
1.0                     9-23-2008
1.1                     2-9-2009       139
1.5       Cupcake       3-30-2009      49
1.6       Donut         9-15-2009      169
2.0       Eclair        10-26-2009     41
2.0.1                   12-3-2009      38
2.1                     1-12-2010      40
2.2       Froyo         5-20-2010      128
2.3       Gingerbread   12-6-2010      200
2.3.3                   2-24-2011      80
2.3.4                   4-28-2011      63
2.3.5                   7-25-2011      88
2.3.6                   9-2-2011       39



Big Problems: updates

[Engadget headline: "Nexus One denied Ice Cream Sandwich, becomes official relic of Android's yesteryears", by Joseph Volpe, posted Oct 26th 2011 3:27PM]
I want to play at home

• Buy a phone!
• Or the Android SDK is easy to install and has an emulator

• Digital Forensics Research Conference challenge files:
  • http://dfrws.org/2011/challenge/index.shtml
• Honeynet "Mobile Malware" challenge:
  • http://www.honeynet.org/node/751



Thank you!

Tim Vidas
tvidas@secureworks.com